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Information Commissioner's Office 


ICO consultation on the draft right of access 
guidance 


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please 


email SARguidance@ico.org.uk. 


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
capacity (e.g. a member of the public). For more information about 
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 


consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather 
this information. Any data collected by Snap Surveys for ICO is 


stored on UK servers. You can read their Privacy Policy. 


Q1 


Q2 


Q3 


Does the draft guidance cover the relevant issues about the right of access? 


No specific guidance eg in shared electronic records for health care. 

Patients go to their gp to release info and we can and do release our notes. BUT not 
clear if we should release the records we see and look at / are guided by but enetered 
by other health care professionals eg district nurses as we have no control over what 
they enter but can influence what we do and we can see that info 


Should we release eg info we see which is a community / DN / OT / Physio input but 
we cannot change but we can see 


What happens if a patient leaves our practice - can we release their info even if no 
longer our patient - lots of queries in health care 


Does the draft guidance contain the right level of detail? 
No 


10 or unsure/don't know, in what areas should there be more detail within the draft 
guidance? 


As above - combined notes where others can enter onto a shared platform but we 
cannot alter but can see and could influence our decisions 


Does the draft guidance contain enough examples o 
Unsure / don't know 


If no or unsure/don’t know, please provide any examples that think should be 
included in the draft guidance. 


? different examples for different areas as education does not apply to me 


eg several sets of the guidance with specific info eg employers, education, gPs etc 


Q4 We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


Solicitors asking for notes on behalf of patients to trawl in case there are any 
negligence issues .. then asking again as nil found until a certain date so will keep 
asking for update on notes to keep trawling for mistakes 


Asking sev solicitors to look at a case 


Q5 On a scale of 1-5 how useful is the draft guidance? 
1 - Not at all a A> 
useful 
Q6 Why have you given this score? 


Because I am still confused as to what 
we should do in some cases and also 
there is a lot of stress in practices to 
get this right / lots of time and 
expense on trawling notes to remove 
info / look just in case 


—-<cemoane«<-o30737°7XM 
3 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


Disagree 


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


Would like a clear gp only guide as to what we should release 
Can we just give on line access 
Should we send PDFs / do we have to send paper copies 


What happens if patient left practice 
What about shared health data ... where we have no influence over other people 
entering data 


Q9 Are you answering as: 


) 


An individual acting in a professional capacity 


ase specify the name of your organisation: 


GP - Norwich - castle partnership 


What sector are you from: 


health 


Q10 How did you find out about this survey? 

ICO Twitter account 
ICO Facebook account 
ICO LinkedIn account 
ICO website 
ICO newsletter 
ICO staff member 
S 
Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 

If other please specify: 


Oooo SO 


Thank you for taking the time to complete the survey. 


